Hackers Exploited Zero-Day Vulnerability in Zimbra Email Platform to Spy on Users
Advancing Product Labels to Help Consumers Consider Cybersecurity
February 17, 2022Texas RE Align Release 3 Training Opportunity
February 17, 2022
Summary:
A threat actor, likely Chinese in origin, is actively attempting to exploit a zero-day vulnerability in the Zimbra open-source email platform as part of spear-phishing campaigns that commenced in December 2021. The espionage operation — codenamed "EmailThief" — was detailed by cybersecurity company Volexity in a technical report published Thursday, noting that successful exploitation of the cross-site scripting (XSS) vulnerability could result in the execution of arbitrary JavaScript code in the context of the user's Zimbra session.
Additional Discussion:
LinkThe attacks are believed to have occurred in two phases; the first stage aimed at reconnaissance and distributing emails designed to keep tabs if a target received and opened the messages. In the subsequent stage, multiple waves of email messages were broadcasted to trick the recipients into clicking a malicious link.
In total, 74 unique outlook.com email addresses were created by the attacker to send out the missives over a period of two weeks, among which the initial recon messages contained generic subject lines ranging from invitations to charity auctions to refunds for airline tickets.
